Identity and Access Management and electronic Identities _ Belgian Federal Government
Identity and Access Mgmt and electronic Identities
Belgian Federal Government
Walter Van Assche
January 16th, 2012
Chisinau
ELECTRONIC IDENTITY (CARD)

Goal eID project
• To give Belgian citizens an electronic identity card enabling them to authenticate themselves towards diverse applications and to put digital signatures
Proof of identity
Signature tool
eID partners
The eID as an e-gov. building block
Belgian eID Project Time line
• 13 Dec 1999: European Directive 1999/93/EC on Electronic Signatures
• 22 Sept 2000: Council of Ministers approves eID card concept study
• 19 July 2001: Council of Ministers approves basic concepts (smart card, citizen certificates, no integration with SIS card, Ministry of Internal Affairs is responsible for RRN’s infrastructure, pilot municipalities, helpdesk, card production, legal framework, …; Fedict for certification services)
• 3 Jan 2002: Council of Ministers assigns RRN’s infrastructure to NV Steria
• 27 Sept 2002: Council of Ministers assigns card production to NV Zetes, certificate services to NV Belgacom
• 31 March 2003: first 4 eID cards issued to civil servants
• 9 May 2003: first pilot municipality starts issuing eID cards
• 25 July 2003: eleventh pilot municipality started
• 25 January 2004: start of pilot phase evaluation
• 27 September 2004: start of nation-wide roll-out
• September 2005: all newly issued ID cards are eID cards
• Start of 2009: all citizens have an eID card
The eID “product family”
Kids-ID
Foreigner-ID
eID
The eID: results
• eID:
– More than 8.6 Million cards issued (2nd wave)
• Kids-ID:
– Potential: 1,3 Million cards
– More than 100.000 cards issued since March 2009
• Foreigner-ID:
– Potential: 1,5 Million cards
– More than 150.000 cards issued since 2008
How does it work?
[Diagram: architecture of the Federal ePortal login. Components: User on the Internet; External Firewall; External Portal (Web Server, Application Server); Federal ePortal (Web Server, Application Server, LDAP).]
1) Request
2) Redirect to ePortal login page
3) Login in ePortal authentication page
4.1) Checking credentials
4.2) Checking credentials
5.1) Redirect with SAML Response (posting with JavaScript)
5.2) Redirect with SAML Response
6) Session creation
Alternatives with different security levels
• Different security levels:
– level 0 : Public access
– level 1 : User name + Password
– level 2 : User name + Password + Token
– level 3 : Electronic identity card
• Future evolutions (based on eID):
– Mobile Identity
– One Time Password Generators?
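The six numbered ePortal steps and the security levels above, worked through as an added Python simulation (constructed here; it is not Fedict's code and not the ePortal's real wire format): the portal authenticates the user at level 1, 2 or 3 depending on the credentials presented, signs a response that names the requesting application and the achieved level, and the application performs the checks a relying party needs before it creates a session. The JSON assertion, the HMAC signature (standing in for SAML's XML signature), the shared key, the test user and the URL are all assumptions.

```python
"""Simulated Federal ePortal login (steps 1-6) with security levels 0-3.
Constructed example: a JSON assertion signed with HMAC stands in for a
SAML Response with an XML signature (assumption, not the real format)."""
import hashlib
import hmac
import json
import secrets
import time

LEVEL_PUBLIC, LEVEL_PASSWORD, LEVEL_TOKEN, LEVEL_EID = 0, 1, 2, 3

# Assumed shared secret between portal and application; stands in for the
# portal's signing key and the application's copy of the portal certificate.
PORTAL_KEY = b"constructed-demo-key"


class EPortal:
    """Identity provider: checks credentials (steps 3-4), signs the response (step 5)."""

    def __init__(self):
        # Constructed test user: password and a fixed token value.
        self.users = {"alice": {"password": "pw-alice", "token": "123456"}}

    def authenticate(self, username, password=None, token=None, eid_cert=None):
        """Return the security level achieved, or raise PermissionError."""
        if eid_cert is not None:
            # Level 3: identity comes from the eID certificate. Chain validation is
            # assumed done; the constructed cert just carries the subject name.
            if eid_cert.get("subject") != username:
                raise PermissionError("eID subject mismatch")
            return LEVEL_EID
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password or ""):
            raise PermissionError("bad credentials")
        if token is not None:
            if not hmac.compare_digest(user["token"], token):
                raise PermissionError("bad token")
            return LEVEL_TOKEN
        return LEVEL_PASSWORD

    def build_response(self, request_id, audience, subject, level):
        """Step 5: the signed response the browser posts back to the application."""
        assertion = {"issuer": "federal-eportal", "audience": audience,
                     "in_response_to": request_id, "subject": subject,
                     "auth_level": level, "not_on_or_after": time.time() + 300}
        payload = json.dumps(assertion, sort_keys=True).encode()
        sig = hmac.new(PORTAL_KEY, payload, hashlib.sha256).hexdigest()
        return {"SAMLResponse": payload.decode(), "Signature": sig}


class Application:
    """Relying party: redirects to the portal (step 2), validates the posted
    response and creates the session (step 6)."""

    def __init__(self, entity_id, required_level):
        self.entity_id = entity_id
        self.required_level = required_level
        self.pending = set()   # outstanding request ids, each usable once
        self.sessions = {}

    def start_login(self):
        request_id = secrets.token_hex(8)
        self.pending.add(request_id)
        return {"redirect": "https://eportal.example/login",  # assumed URL
                "request_id": request_id, "audience": self.entity_id}

    def consume_response(self, posted):
        payload = posted["SAMLResponse"].encode()
        expected = hmac.new(PORTAL_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, posted["Signature"]):
            raise PermissionError("bad signature")
        a = json.loads(payload)
        if a["audience"] != self.entity_id:
            raise PermissionError("response meant for another application")
        if a["in_response_to"] not in self.pending:
            raise PermissionError("unsolicited or replayed response")
        self.pending.discard(a["in_response_to"])   # one-time use
        if time.time() >= a["not_on_or_after"]:
            raise PermissionError("response expired")
        if a["auth_level"] < self.required_level:
            raise PermissionError(f"level {a['auth_level']} below required {self.required_level}")
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"subject": a["subject"], "level": a["auth_level"]}
        return sid


def login(app, portal, username, **credentials):
    """Run steps 1-6 end to end and return the new session id."""
    req = app.start_login()
    level = portal.authenticate(username, **credentials)
    posted = portal.build_response(req["request_id"], req["audience"], username, level)
    return app.consume_response(posted)
```

The order of checks in `consume_response` is deliberate: signature first (nothing unsigned is parsed further), then audience, then the request id, which is removed from `pending` so a captured response cannot be posted a second time, then expiry, and finally the level comparison so an application needing level 2 accepts an eID login (level 3) but not a password-only one.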
IDENTITY AND ACCESS MANAGEMENT IN EGOV

What is IAM?
A simple story…
[Diagram, built up over several slides: a User gets access to an Application (or Applications) through Identification & authentication; Attributes (Name, Company, …) come from authentic sources such as NRN, KBO, Notarissen, …; getting access is decided by Permissions and Roles; granting access runs through a Workflow involving the Legal Representative (registered in KBO), the Chief Security Manager and the Security Manager.]
© Fedict 2009. All rights reserved | p. 12
IAM… in a complex reality
Process overview:
• Manage Identity
• Manage Virtual Identity
• Attestation
• Reporting
• Risk Definition
• Relying Party Management
• Auditing
• Manage Organizational Membership
• Manage Role Definition
• Manage Permission
• Mandate Management
• Manage Domains
• Manage Contexts
• Request Permission
• Authenticate
Relevance of IAM within eGovernment context
Transparency:
• Granting transparent access to different applications and information sources of the Belgian government
Security:
• Avoid unauthorized access to information sources and applications of the federal government
Trust and trustworthiness:
• Decent service provider
Autonomy:
• Ensure the “uniqueness” of each of the partners
Governance structure:
• The rules and agreements within an IAM context
Security management
>> A historic agreement
• An agreement is being defined between Belgian government partners, providing a basis for an integrated security management
• A joint security management platform will be offered as a managed service
• All partners can participate in the steering group of the joint platform
• …
Federated context
>> co-existence
[Diagram: three co-existing contexts: Context of OCMW, Context of the federal government, Context of local governments.]
Federated context: Example
>> Digiflow
[Diagram: the “simple story” applied to two relying applications, Digiflow and Tax on Web. In each, the User is identified and authenticated, Attributes (Name, Company, …) are taken from authentic sources (NRN, KBO, Notarissen, …) and Permissions decide on getting access. Granting access is shared: the Legal Representative (registered in KBO), the Head Security Manager and the Security Manager manage Roles through a Workflow.]
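The “granting access” side of the simple story and of the Digiflow example, as an added Python model that is not from the slides: the legal representative recorded in KBO appoints a head security manager, who appoints security managers, who assign application roles; the application then derives permissions from roles and every grant is written to an audit trail. The delegation order, the record formats, the national-register and enterprise numbers, the application and role names are all assumptions made for the example.

```python
"""Constructed model of the granting-access chain: legal representative (per
KBO) -> head security manager -> security manager -> role assignment ->
permissions checked by the application. Added example; all data is invented."""
from collections import defaultdict

# Authentic sources (constructed records): NRN holds persons, KBO holds enterprises.
NRN = {"85.01.01-001.11": {"name": "Alice Janssens"},
       "80.02.02-002.22": {"name": "Bob Peeters"},
       "79.03.03-003.33": {"name": "Carla Dubois"},
       "90.04.04-004.44": {"name": "Dirk Maes"}}
KBO = {"0123.456.789": {"name": "Acme Accountants",
                        "legal_representative": "85.01.01-001.11"}}

# Application-side permission model (assumed): application -> role -> permissions.
APP_ROLES = {"taxonweb": {"accountant": {"file_return", "view_dossier"},
                          "clerk": {"view_dossier"}}}


class RoleAdmin:
    """Role administration with the delegation workflow and an audit trail."""

    def __init__(self):
        self.head_sm = {}                 # kbo -> NRN of the head security manager
        self.sms = defaultdict(set)       # kbo -> NRNs of security managers
        self.roles = defaultdict(set)     # (user NRN, app) -> {(kbo, role)}
        self.audit = []                   # who granted what to whom

    def _known(self, nrn, kbo):
        # Every actor and target must exist in the authentic sources.
        if nrn not in NRN:
            raise LookupError(f"unknown person {nrn}")
        if kbo not in KBO:
            raise LookupError(f"unknown enterprise {kbo}")

    def appoint_head_security_manager(self, actor, kbo, head):
        self._known(actor, kbo)
        self._known(head, kbo)
        # Only the legal representative registered in KBO may start the chain.
        if KBO[kbo]["legal_representative"] != actor:
            raise PermissionError("actor is not the legal representative in KBO")
        self.head_sm[kbo] = head
        self.audit.append(("appoint_head", actor, kbo, head))

    def appoint_security_manager(self, actor, kbo, sm):
        self._known(actor, kbo)
        self._known(sm, kbo)
        if self.head_sm.get(kbo) != actor:
            raise PermissionError("actor is not the head security manager")
        self.sms[kbo].add(sm)
        self.audit.append(("appoint_sm", actor, kbo, sm))

    def assign_role(self, actor, kbo, user, app, role):
        self._known(actor, kbo)
        self._known(user, kbo)
        if actor not in self.sms[kbo]:
            raise PermissionError("actor is not a security manager of this enterprise")
        if role not in APP_ROLES.get(app, {}):
            raise ValueError(f"application {app} has no role {role}")
        self.roles[(user, app)].add((kbo, role))
        self.audit.append(("assign_role", actor, kbo, user, app, role))

    def permissions(self, user, app):
        """Permissions effective for an authenticated user in one application."""
        perms = set()
        for _kbo, role in self.roles.get((user, app), ()):
            perms |= APP_ROLES[app][role]
        return perms

    def has_permission(self, user, app, permission):
        """The check the application runs at 'getting access' time."""
        return permission in self.permissions(user, app)


def build_demo():
    """Walk the chain once with the constructed records and return the service."""
    ra = RoleAdmin()
    ra.appoint_head_security_manager("85.01.01-001.11", "0123.456.789", "80.02.02-002.22")
    ra.appoint_security_manager("80.02.02-002.22", "0123.456.789", "79.03.03-003.33")
    ra.assign_role("79.03.03-003.33", "0123.456.789", "90.04.04-004.44",
                   "taxonweb", "accountant")
    return ra
```

Each step checks the grantor's own standing before it grants anything, so a head security manager cannot assign roles directly and a security manager cannot appoint peers; the audit list gives the reporting and attestation processes from the overview something to read.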
Federated context: Example
>> Tax on Web for accountants: Mandate Mgt

Fedict IAM offering
[Diagram: Fedict as Trusted Third Party operating the FAS inside a Circle of Trust with the Relying Parties (Application A … Application X) and the authentic sources (RR, BIS, KBO); also shown: Role Admin, User, Admin, …]
Fedict IAM evolution
Current building blocks:
• RoleMgt: Role Admin, Citizen Admin, TUM Self Service, Magma, MagmaWS
• Authentication: FAS1, FAS+
• UserMgt: Attribute Service, CSAdmin, VOSync, Reporting
Optimized building blocks:
• RoleMgt: Role Definition Management, Role Assignment, Organization Assignment
• Authentication: Identification & Authentication, Attribute Publication, Relying Party Management
• UserMgt: Self Registration, Self Management, User Lifecycle Management, Risk Management, Reporting Management
EU pilots that work on cross-border interoperability
© fedict 2011. All rights reserved
[Diagram: Overview of LSP’s Collaborations, with the pilot domains Company Dossier, Citizen ID, Privacy and Transport Infrastructure.]
Thank you
Fedict
Maria-Theresiastraat 1/3 Rue Marie-Thérèse
Brussel 1000 Bruxelles
TEL. +32 2 212 96 00 | FAX +32 2 212 96 99
[email protected] | www.fedict.belgium.be